Thursday, November 3, 2011

Complete DHS Daily Report for November 3, 2011

Daily Report

Top Stories

• Federal prosecutors sued Allied Home Mortgage Corp. and two of its officers, claiming one of the nation’s largest lenders committed serial frauds that could result in $1 billion in losses. – Courthouse News Service (See item 12 below in the Banking and Finance Sector)

• Four men in Georgia were charged with planning to use the lethal toxin ricin to attack government buildings and employees in several cities. – Associated Press (See item 33)

33. November 2, Associated Press – (National; Georgia) 4 men in Ga. accused of planning ricin attacks. Four men in Georgia intended to use an online novel as a script for a real-life wave of terror and assassination using explosives and the lethal toxin ricin, according to court documents. Federal agents raided their north Georgia homes November 1 and arrested them on charges of conspiring to plan the attacks. The four men are scheduled to appear in court November 3. Relatives of two of the men said the charges were baseless. Court documents accused the men of trying to obtain an explosive device and a silencer to carry out targeted attacks on government buildings and employees. Two of the men are also accused of trying to seek out a formula to produce ricin, a biological toxin that can be lethal in small doses. One suspect discussed ways of dispersing ricin from an airplane in the sky over Washington D.C., court records state. Another suspected member of the group intended to use the plot of an online novel as a model for plans to attack U.S. federal law officers and others, authorities said. Court documents state the 73-year-old man told others he intended to model their actions on the online novel “Absolved,” which involves small groups of citizens attacking U.S. officials. Investigators said the four men took several concrete steps to carry out their plans. One suspect is accused of driving to Atlanta with a confidential informant to scope out federal buildings that house the IRS and other agencies. He and another suspect also arranged to buy what they thought was an explosive device and a silencer from an undercover agent. The men were arrested days after a lab test confirmed they had trace amounts of ricin in their possession, authorities said. Court records indicate at least two of the suspects are former federal employees. Prosecutors say one suspect said he would like to make 10 pounds of ricin and simultaneously place it in several U.S. cities. Source:


Banking and Finance Sector

11. November 2, Arlington Heights Daily Herald – (Illinois) Ex-Crystal Lake man charged in $34 million Ponzi scheme. A former Crystal Lake, Illinois man has been charged as a new defendant in a pending Ponzi scheme case that caused losses of about $34 million, authorities said November 1. The man now joins a co-defendant to face charges the two tricked about 400 victims into investing more than $105 million to fund their scheme, authorities said. According to a federal indictment, the man acted as a sales agent and trader for a dozen investment funds operated in the U.S. Virgin Islands under the title of “Kenzie Funds.” He and his co-defendant misused the money they raised for their own benefit, and to make Ponzi-type payments totaling about $71 million to certain investors, the U.S. attorney’s office said. The men informed investors their money would be used primarily in foreign currency trading, and that Kenzie Funds had never lost money and had achieved profitable historical returns, according to the indictment. Between 2004 and July 2010, the defendants misappropriated a large part of the $105 million. The man was charged with 10 counts of mail fraud and six counts of filing false individual and corporate income tax returns, while his co-defendant is facing 10 counts of mail fraud. The indictment seeks forfeiture against both men of about $34 million. The man was also charged with six counts of filing false federal income tax returns between 2005 and 2007. Source:

12. November 2, Courthouse News Service – (National) Allied Mortgage fraud could cost taxpayers $1 billion, USA says. Federal prosecutors sued Allied Home Mortgage Corp. and two of its top officers November 1, claiming one of the nation’s largest privately held mortgage lenders committed serial frauds that cost taxpayers hundreds of millions of dollars, and cost thousands of people their homes. More than 30 percent of the 110,000 Federal Housing Administration (FHA) mortgages Allied originated in the past decade are in default, and the default rate for loans in 2006-07 climbed to 55 percent, prosecutors said. The FHA has paid $834 million “for mortgages originated and fraudulently certified by Allied that are now in default,” the U.S. attorney’s office said in announcing the lawsuit. “An additional 2,509 loans are currently in default but not yet in claims status, which could result in additional insurance claims paid by the HUD [U.S. Department of Housing and Urban Development] amounting to $363 million.” The nine-count complaint claims Allied, its CEO, and executive vice president (VP) and compliance director, defrauded the government and taxpayers by “knowingly and intentionally submit(ing) false loan certifications to the HUD by originating FHA loans out of shadow branches;” made false statements to HUD; made false annual certifications to HUD; made false branch certifications to HUD; violated the False Claims Act; and made false loan certifications to HUD. “Allied’s concealed corruption continued in part because [the CEO] persistently monitored and intimidated senior managers and other employees,” prosecutors claim. 
“[He] also required employees to sign extremely broad confidential agreements and has sued numerous former employees for the slightest perceived breach, including a former tax manager for speaking to the IRS.” Prosecutors said Allied ran hundreds of “shadow,” unapproved branch offices that originated FHA loans, and deceived the HUD by using the ID number of a HUD-approved branch on the applications. Source:

13. November 2, Middletown Times Herald-Record – (New York) Bank evacuated after staff gets ill; cause unknown. One person was taken to the hospital in Montgomery, New York, November 1 after multiple people at a Key Bank complained of dizziness, nausea, and headaches, town police said. At around 3:20 p.m., a Montgomery police lieutenant said he received a complaint of people feeling ill at the Key Bank at 1031 Route 17K. When police arrived, two bank tellers and a manager said they felt dizzy and nauseous. The officer on scene at the bank also began getting a headache. The bank was evacuated and cordoned off, the lieutenant said. One person was sent to St. Luke’s Cornwall Hospital complaining of dizziness and a headache, and another refused treatment. An Orange County haz-mat team checked carbon monoxide levels, but they were not sure of what caused the illnesses. Source:

14. November 1, U.S. Department of Treasury – (National) The passage of late legislation and incorrect computer programming delayed refunds for some taxpayers during the 2011 filing season. According to a report released November 1 by the Treasury Inspector General for Tax Administration, as of April 30, 2011, the IRS had identified 775,723 tax returns with $4.6 billion claimed in fraudulent refunds and prevented the issuance of $4.4 billion (96 percent) of those fraudulent refunds. The IRS also selected 199,854 tax returns filed by prisoners for fraud screening, a 256 percent increase compared to last year. However, the IRS review found implementing some legislative provisions such as the First-Time Homebuyer Credit, Adoption Credit, Nonbusiness Energy Property Credits, and Plug-in Electric and Alternative Motor Vehicle Credits resulted in an inability to identify to the Internal Revenue Service Commissioner 140,596 taxpayers erroneously claiming $140.2 million. In addition, 26,649 taxpayers had their Homebuyer Credit inaccurately processed, $5.8 million in repayment amounts was not assessed, and $675,063 in repayment amounts was erroneously assessed. Source:

15. November 1, U.S. Commodity Futures Trading Commission – (North Carolina) Federal court orders Charlotte, NC, couple and their companies to pay $24 million for defrauding customers in foreign currency Ponzi scheme. The U.S. Commodity Futures Trading Commission (CFTC) November 1 announced it obtained a federal court supplemental consent order requiring two defendants and their companies, Queen Shoals, LLC, Queen Shoals II, LLC, and Select Fund, LLC, to pay $24 million in restitution and civil monetary penalties for defrauding customers and misappropriating millions of dollars in a foreign currency (forex) Ponzi scheme. In addition, the supplemental consent order requires the following relief defendants to disgorge ill-gotten gains totaling $23.3 million because they received funds as a result of the defendants’ fraudulent conduct to which they had no legitimate entitlement: Secure Wealth Fund, LLC; Heritage Growth Fund, LLC; Dominion Growth Fund, LLC; Two Oaks Fund, LLC; Dynasty Growth Fund, LLC; and Queen Shoals Group, LLC. According to the CFTC’s complaint, starting in at least June 2008 and continuing through the present, the defendants fraudulently solicited at least $22 million from individuals and/or entities for the purported purpose of trading off-exchange forex on their behalf. In their personal and Web site solicitations, defendants falsely claimed success in trading forex, guaranteed customers profits through use of “non-depletion accounts,” represented that there would be no risk to customers’ principal investment, and lured prospective customers with promises of returns of 8 to 24 percent, according to the complaint. The defendants claimed to pool customers’ funds and then to use the profits generated by trading forex, along with gold and silver bullion, to guarantee payments to customers at the end of the 5-year “promissory note” period. In reality, however, defendants deposited little or none of customers’ funds into forex trading accounts. 
The defendants misappropriated customer funds for personal use or to make purported profit payments or return principal to existing customers. Source:

16. November 1, KMGH 7 Denver – (Colorado) Colo. credit card scam traced to theaters, other locations. Loveland, Colorado police said November 1 they have traced the large credit and debit card fraud in northern Colorado to many common locations. While officers are not releasing the entire list yet, they said one location was the Loveland Metrolux 14 in the Promenade Shops at Centerra. Investigators said the theater’s parent company, Metropolitan Theaters, hired an outside forensic analysis team to inspect its data transmission systems. Theater officials said the analysis showed there had been an external breach into the theater’s computer system initiated from outside the organization, police said. The theater company said measures have been put into place to remove the breach and make sure the systems are now secure. Loveland Police investigators said there are 1,180 related fraud cases that have been reported to law enforcement throughout northern Colorado. Purchases have been made online and in person, implying someone is printing new, physical cards with account numbers. Source:

17. November 1, KHON 2 Honolulu – (Hawaii) Nine indicted in identity theft ring bust. Authorities said November 1 they believe they have arrested the nine remaining members of an identity theft ring that has victimized 256 Oahu, Hawaii residents and businesses. The nine suspects were indicted by an Oahu grand jury on more than 150 counts of identity theft-related crimes. Four other ring members have already been convicted and sentenced to 10 years in prison, and the alleged ring leader of the scheme is awaiting trial. Prosecutors believe the suspects stole more than $200,000 over 8 months starting in May 2010. Prosecutors believe the group created fake IDs and counterfeit checks, and cashed them. The bust is the result of a 13-month investigation by police, sheriff’s deputies, prosecutors, and federal agencies. Source:

For another story see item 38 below in the Information Technology Sector

Information Technology Sector

36. November 2, IDG News Service – (International) Secunia offers to coordinate vulnerability disclosure on behalf of researchers. Danish vulnerability management company Secunia aims to make the task of reporting software vulnerabilities easier for security researchers by offering to coordinate disclosure with vendors on their behalf, IDG News Service reported November 2. The Secunia Vulnerability Coordination Reward Programme (SVCRP) is the latest addition to a list of offerings such as TippingPoint’s Zero Day Initiative or Verisign’s iDefense Labs Vulnerability Contributor Program that allow researchers to avoid having to deal with different vendor bug reporting policies. However, according to Secunia’s chief security specialist, the SVCRP is meant to complement these programs. Secunia plans to accept vulnerabilities other programs reject, regardless of their classification and as long as they are in off-the-shelf products. Flaws discovered in online services such as Facebook, for example, do not qualify. The company will not profit directly from the SVCRP and does not plan to provide advance notification about the reported flaws to its customers, as other companies do. Researchers will continue to receive payments they are entitled to from vendors for disclosing vulnerabilities even if they use the SVCRP for coordination, Secunia said. However, vendors will have the final word on whether they will pay out rewards to researchers who offload vulnerability coordination work to companies such as Secunia. Source:

37. November 1, Computerworld – (International) Update: Duqu exploits zero-day flaw in Windows kernel. The Duqu trojan infects systems by exploiting a previously unknown Windows kernel vulnerability that is remotely executable, security vendor Symantec said November 1. Symantec said in a blog post that CrySyS, the Hungarian research firm that discovered the Duqu trojan earlier in October, has identified a dropper file that was used to infect systems with the malware. The installer file is a malicious Microsoft Word document designed to exploit a zero-day code execution vulnerability in the Windows kernel. “When the file is opened, malicious code executes and installs the main Duqu binaries” on the compromised system, Symantec said. According to Symantec, the malicious Word document in the recovered installer appears to have been specifically crafted for the targeted organization. The file was designed to ensure that Duqu would only be installed during a specific 8-day window in August, Symantec noted. No known workarounds exist for the zero-day vulnerability that Duqu exploits. The installer that was recovered is one of several that may have been used to spread the trojan. It is possible that other methods of infection are also being used to spread Duqu, Symantec noted. Source:

38. November 1, threatpost – (International) Zeus now using autorun as infection numbers rise. After tapering off, the Zeus trojan has been staging a comeback over the last few months, possibly using a new infection routine that leverages Windows’ autorun feature even after a company update to limit infections that use it, according to research by Microsoft. Microsoft’s Malicious Software Removal Tool removed the common banking trojan horse program from 185,000 computers in September and the company expects more than 100,000 removals in October, according to a new post on Microsoft’s Threat Research and Response blog. The growth spurt reflects Zbot’s growing use of Windows autorun functionality, said the senior antivirus research lead at Microsoft. Source:

39. November 1, The Register – (International) Researchers propose simple fix to thwart e-voting attack. Researchers have devised a simple procedure that can be added to many electronic voting machine routines to reduce the success of insider attacks that attempt to alter results, The Register reported November 1. The approach, laid out in a short research paper, augments the effectiveness of end-to-end verifiable election systems, such as Scantegrity and MarkPledge. These systems are designed to generate results that can be checked by anyone, by giving each voter a receipt that contains a cryptographic hash of the ballot contents. The researchers propose chaining the hash of each receipt to the contents of the previous receipt. By linking each hash to the ballot cast previously, the receipt serves not only as a verification that its votes have not been altered, but also as confirmation that none of the votes previously cast on the same machine have been tampered with. The procedure is intended to reduce the success of what is known as a trash attack, in which election personnel or other insiders comb through the contents of garbage cans near polling places for discarded receipts. The presence of the discarded receipts is often correlated with votes that can be altered with little chance of detection. The running hash is designed to make it harder for insiders to change more than a handful of votes without the fraud being easy to detect. Source:
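The receipt chaining described in item 39, sketched as an added example (not code from the research paper, Scantegrity, or MarkPledge). It assumes SHA-256, an all-zero starting value, and opaque ballot records; the ballots and the set of retained receipts are constructed sample data.

```python
import hashlib

# Assumption: the first receipt on a machine chains to a fixed all-zero value.
GENESIS = "0" * 64

# Constructed sample data: six opaque ballot records in casting order, and the
# serial numbers of the receipts that voters kept (the others were discarded).
CAST = ["ballot-A", "ballot-B", "ballot-C", "ballot-D", "ballot-E", "ballot-F"]
KEPT_SERIALS = [2, 5]


def _digest(*parts):
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for part in parts:
        data = part.encode("utf-8")
        d.update(len(data).to_bytes(4, "big"))
        d.update(data)
    return d.hexdigest()


def receipt_hashes(ballots, chained=True):
    """Return the hash printed on each receipt, in casting order.

    chained=False models a receipt that covers only its own ballot;
    chained=True folds the previous receipt's hash into the next one.
    """
    hashes, prev = [], GENESIS
    for record in ballots:
        h = _digest(prev, record) if chained else _digest(record)
        hashes.append(h)
        prev = h
    return hashes


def kept_receipts(ballots, serials, chained=True):
    """Map serial (1-based) -> receipt hash for the receipts voters retained."""
    hashes = receipt_hashes(ballots, chained)
    return {s: hashes[s - 1] for s in serials}


def mismatched_receipts(published_ballots, kept, chained=True):
    """Serials of retained receipts that disagree with the published record."""
    recomputed = receipt_hashes(published_ballots, chained)
    return sorted(s for s, h in kept.items() if recomputed[s - 1] != h)


def audit_after_alteration(altered_serial, chained):
    """Alter one published ballot record and report which kept receipts notice."""
    kept = kept_receipts(CAST, KEPT_SERIALS, chained)
    published = list(CAST)
    published[altered_serial - 1] = "ballot-ALTERED"
    return mismatched_receipts(published, kept, chained)


def demo():
    return {
        # Ballot 3's receipt was discarded. Without chaining nobody can notice.
        "unchained_alter_3": audit_after_alteration(3, chained=False),
        # With chaining, the later retained receipt (serial 5) no longer matches.
        "chained_alter_3": audit_after_alteration(3, chained=True),
        # Limit of the scheme: a change after the last retained receipt
        # is not covered by any receipt still in voters' hands.
        "chained_alter_6": audit_after_alteration(6, chained=True),
    }


if __name__ == "__main__":
    for name, serials in demo().items():
        print(name, serials)
```

A retained receipt vouches for every ballot cast before it on the same machine, so the last voters' receipts matter most for an audit.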

40. November 1, IDG News Service – (National) Researchers defeat CAPTCHA on popular Websites. Researchers from Stanford University developed an automated tool capable of deciphering text-based anti-spam tests used by many popular Web sites with a significant degree of accuracy. The researchers presented the results of their 18-month-long CAPTCHA study at the recent ACM Conference On Computer and Communication Security in Chicago. CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ and consists of challenges that only humans are supposed to be capable of solving. Web sites use such tests to block spam bots that automate tasks such as account registration and comment posting. There are various types of CAPTCHAs, some using audio, others using math problems, but the most common implementations rely on users typing back distorted text. The Stanford team devised various methods of cleaning up purposely introduced image background noise and breaking text strings into individual characters for easier recognition, a technique called segmentation. Some of their CAPTCHA-breaking algorithms are inspired by those used by robots to orient themselves in various environments and were built into an automated tool dubbed Decaptcha. This tool was then run against CAPTCHAs used by 15 high-profile Web sites. The results revealed tests used by Visa’s payment gateway could be beaten 66 percent of the time, while attacks on Blizzard’s World of Warcraft portal had a success rate of 70 percent. For eBay, CAPTCHA implementation failed 43 percent of the time, and for Wikipedia, one in four attempts was successful. Lower success rates were found on Digg, CNN, and Baidu — 20, 16, and 5 percent respectively. Source:

41. November 1, CNET – (International) ‘Socialbots’ steal 250GB of user data in Facebook invasion. Programs designed to resemble humans infiltrated Facebook recently and made off with 250 gigabytes of personal information belonging to thousands of the social network’s users, researchers said in an academic paper released November 1. The 8-week study was designed to evaluate how vulnerable online social networks were to large-scale infiltrations by programs designed to mimic real users, researchers from the University of British Columbia Vancouver said in the paper, titled “The Socialbot Network: When bots socialize for fame and money.” Each of the 102 “socialbots” researchers released onto the social network included a name and profile picture of a fictitious Facebook user and was capable of posting messages and sending friend requests. They then used these bots to send friend requests to 5,053 randomly selected Facebook users. Each account was limited to sending 25 requests per day to prevent triggering anti-fraud measures. During that initial 2-week “bootstrapping” phase, 976 requests, or about 19 percent, were accepted. During the next 6 weeks, the bots sent connection requests to 3,517 Facebook friends of users who accepted requests during the first phase. Of those, 2,079 users, or about 59 percent, accepted the second round of requests. The increase was due to what researchers called the “triadic closure principle,” which predicts that if two users had a mutual friend in common, they were three times more likely to become connected. Researchers found social networks were “highly vulnerable” to a large-scale infiltration, with an 80-percent infiltration rate. Source:

For more stories, see item 16 above in the Banking and Finance Sector and item 43 below in the Communications Sector

Communications Sector

42. November 2, KMGH 7 Denver – (Colorado) Guardrail work blamed for NW Colo. cellphone outages. Guardrail work near Dillon, Colorado, was blamed for a severed fiber-optic cable that cut cellphone service to thousands of customers in northwest Colorado October 31. The cable cut knocked out cellphone service for Verizon, AT&T, Cricket, Sprint, and T-Mobile customers. The severed CenturyLink line also disrupted long-distance phone service for land lines and Internet service, according to the Summit Daily. Ideal Fencing of Erie said it checked before starting work and was informed the area was clear of utility lines, the newspaper reported. A CenturyLink spokesman said his firm did a “temporary fix” on the damaged cable October 31 to restore cellphone and other services, the newspaper reported. Source:

43. November 1, Yuma Sun – (Arizona) Fire damages Yuma home; disrupts area Internet, cable and phone services. A Yuma, Arizona house fire damaged a Time Warner fiber optics cable November 1, disrupting Internet, cable television, and phone services for thousands of customers in Somerton, San Luis, the Foothills, and parts of Yuma. “Some of our fiber lines were melted by a nearby fire,” a Time Warner business manager said. “We have our construction members out there and they are determining if there is any additional damage.” The business manager said November 1 that service should be restored before the end of the day. The cause of the fire was under investigation. Source:

44. November 1, KTVL 10 Medford – (Oregon) CenturyLink Jackson Co. outages repaired. CenturyLink informed KTVL 10 Medford the evening of November 1 that their systems were back online and fully functional in Jackson County, Oregon following an equipment failure. Landline phone customers in the Rogue River and Gold Hill areas were without service the afternoon of November 1. A CenturyLink spokesman said crews were trying to determine what caused the outage. The outage affected 911 service in the area. The director of Jackson County’s 911 Center said the county sent dispatchers and sheriff’s deputies to the affected areas. Source:

For another story see item 41 above in the Information Technology Sector

Wednesday, November 2, 2011

Complete DHS Daily Report for November 2, 2011

Daily Report

Top Stories

• At least 48 chemical and defense companies, many in the United States, were victims of a coordinated cyber attack traced to a man in China, said security firm Symantec Corp. – Reuters (See item 6)

6. October 31, Reuters – (International) New cyber attack targets chemical firms: Symantec. At least 48 chemical and defense companies were victims of a coordinated cyber attack traced to a man in China, according to a report from security firm Symantec Corp. Computers belonging to these companies were infected with malicious software known as "PoisonIvy," which was used to steal information such as design documents, formulas, and details on manufacturing processes, Symantec said October 31. It said the firms included multiple Fortune 100 corporations that develop compounds and advanced materials, along with businesses that help manufacture infrastructure for these industries. The bulk of the infected machines were based in the United States and United Kingdom, Symantec said, adding the victims include 29 chemicals companies, some of which developed advanced materials used in military vehicles. "The purpose appears to be industrial espionage, collecting intellectual property for competitive advantage," Symantec said in a white paper on the campaign that it dubbed the "Nitro" attacks. The cyber campaign ran from late July through mid-September and was traced to a computer system in the United States owned by a man in his 20s in Hebei province in China, according to Symantec. Researchers said they were not able to determine if the hacker, who they dubbed "Covert Grove", acted alone or conducted the attacks on behalf of another party or parties. Symantec said the Nitro attackers sent e-mails with tainted attachments to between 100 and 500 employees at a company, claiming to be from established business partners or to contain bogus security updates. When a recipient opens the attachment, it installs "PoisonIvy," a Remote Access Trojan that can take control of a machine and that is easily available over the Internet. 
While the hackers' behavior differed slightly in each case, they typically identified desired intellectual property, copied it, and uploaded it to a remote server, Symantec said in its report. Dow Chemical Co said it detected "unusual e-mails being delivered to the company" last summer, and worked with law enforcers to address this situation. Source:

• MF Global failed to protect customer accounts by keeping them separate from the firm's funds, leading to the disappearance of hundreds of millions of dollars, according to a U.S. regulator. – Reuters (See item 20)


Banking and Finance Sector

17. November 1, Philadelphia Inquirer – (National) 'Little Nicky' Scarfo's son charged in massive fraud. The son of a jailed Philadelphia mob boss was arrested November 1 on racketeering and fraud charges tied to what federal authorities allege was a massive scheme to defraud a Texas-based financial firm out of millions of dollars. He was one of more than a dozen individuals named in the indictment announced by the U.S. attorney's office in Camden, New Jersey. The man's father and another jailed mob boss were named as unindicted coconspirators in what the indictment charges was a mob-linked criminal enterprise set up to siphon millions from FirstPlus Financial. A former Elkins Park businessman, a south Jersey criminal defense attorney, and several former officials with FirstPlus Financial were among the 13 defendants named in the indictment. Other defendants include accountants, lawyers, and company officials who the indictment alleges were part of a scheme set up to loot FirstPlus. The indictment capped a 3-year investigation by the FBI that became public after search warrants were issued in May 2008 for businesses and homes in Philadelphia, New Jersey, Florida, and Texas. Authorities allege the mobster's son and the Elkins Park businessman were behind-the-scenes operatives who orchestrated a series of business deals in which FirstPlus bought or invested in companies the two had set up in Philadelphia and south Jersey. Authorities allege those companies were shells that performed little or no work, but were set up to allow the pair to take more than $12 million out of FirstPlus. The indictment charges the defendants with being part of a mob-connected racketeering enterprise that engaged in wire fraud, mail fraud, bank fraud, securities fraud, money-laundering, extortion, and obstruction of justice. Source:

18. November 1, Delaware County Daily Times – (Pennsylvania) Ex-Wachovia Bank employee busted in $500G embezzlement scam. A former Wachovia Bank "financial specialist" is behind bars at the Delaware County, Pennsylvania prison, charged with attempting to embezzle more than $500,000 by transferring cash from customer accounts — many belonging to senior citizens — into accounts he had set up, county authorities said October 31. The man faces multiple felony theft, forgery, identity theft, and related offenses. From February 4, 2008, through March 5, 2009, he allegedly transferred $574,314.69 from customer accounts into accounts he established. On March 3 and 5 in 2009, authorities allege he made three unsuccessful attempts to remove funds from the accounts he had set up. The attempts were thwarted by Wachovia after a signature on a check and two suspicious electronic transfers were questioned. Two additional checks drawn on the man's Wachovia accounts in the amount of $9,500 were presented to PNC Bank on March 2 and 3 in 2009 — both of which were returned to PNC based on what authorities said was Wachovia becoming aware of the man's actions. Source:

19. November 1, Chicago Tribune – (Illinois) Dozen real estate loans at center of FDIC's $127M suit in Mutual Bank failure. The Federal Deposit Insurance Corporation (FDIC) brought a $127 million lawsuit against officers and directors of the Harvey, Illinois-based Mutual Bank, which failed in July 2009. The lawsuit outlines how nearly $1.1 million of the bank's assets were "wasted" on extravagances, such as a $250,000 wedding and a $300,000 board meeting in Monte Carlo, Monaco. Insiders also paid themselves $10.5 million in dividends as the bank was tanking. The bulk of what the FDIC is seeking to recover is the more than $115 million in losses on 12 real estate loans. The FDIC said many of the bank's bad loans, which were concentrated in the hotel industry, originated after the real estate market began its "precipitous" decline in late 2006. Source:

20. November 1, Reuters – (National; International) Clients scramble for money after MF Global shock. MF Global failed to protect customer accounts by keeping them separate from the firm's funds, a top U.S. regulator said November 1, as administrators to the collapsed brokerage's United Kingdom (UK) arm scrambled to close out billions of dollars worth of client positions. The fall of the group sent shockwaves through commodities markets, as traders feared the damage could spread, or similar problems occur with other players. KPMG, appointed as administrators to MF Global's UK arm, said it had been busy closing out positions all day under a new UK regime set up to prevent a repeat of the slow and painful work-out of the 2008 collapse of Lehman Brothers. KPMG's head of restructuring told Reuters he was confident clients would see their money again: "Our strategy this morning has been ... where we have clients whose position is reconciled, and are due funds, then that money will flow," he said. MF Global's main exchange regulator, the Chicago Mercantile Exchange Group (CME), said the futures broker failed to keep customers' accounts separate from the firm's funds, violating a central tenet of futures brokerage. "CME has determined MF Global is not in compliance with Commodity Futures Trading Commission and CME customer segregation requirements," the company's chief executive said. The New York Times reported federal regulators discovered that hundreds of millions of dollars in customer money — supposed to be segregated, and protected from the rest of the business — had gone missing. MF Global filed for bankruptcy protection October 31. In Australia, trading in grain futures and options was suspended by bourse operator ASX Ltd, prompting concerns about the integrity of the country's agricultural futures market. The London Metal Exchange said in a statement it had suspended MF Global from trading with immediate effect, following a similar move by the CME Group. Source:

21. October 31, Des Moines Register – (Iowa) Former Clarksville bank cashier to plead guilty. A former cashier at Iowa State Bank in Clarksville will plead guilty November 4 to embezzling $6 million over the past two decades, court records show. The former cashier is charged with stealing the money between 1991 and 2010. A bank examination by the Federal Deposit Insurance Corporation in May revealed discrepancies in the bank’s general ledger. The FBI and U.S. Secret Service took over the investigation. The bank filed a civil lawsuit against the man in Butler County District Court in June, accusing him of transferring bank funds to his own accounts and hiding the thefts by creating false accounts and transactions. The U.S. attorney’s office October 24 filed the embezzlement and the identity theft charges accusing the former cashier of using someone else’s name and Social Security number to help him embezzle the money. Source:

22. October 31, Associated Press – (Texas) Ex-Laredo bank officer pleads guilty in $8M fraud. A bank officer in south Texas blamed for stealing more than $8 million from customer accounts pleaded guilty October 31 in a fraud investigation. Prosecutors said the former officer pleaded guilty to conspiracy to commit bank fraud, and conspiracy to launder money. The woman was an international banking officer with Compass Bank in Laredo when an audit revealed the 2009 scheme. The officer, in the plea deal, said she used the stolen funds to buy vehicles, make investments, and purchase a condominium on South Padre Island. The woman, who must make restitution, faces up to 30 years in prison on the bank fraud count, and 10 years for conspiracy to launder money. Source:

23. October 31, Hickory Daily Record – (North Carolina) Hickory man pleads guilty to mortgage fraud. A Hickory, North Carolina man pleaded guilty October 31 in federal district court to five charges that he defrauded dozens in the region who sought to buy or finance manufactured homes. He was charged with one count of conspiracy to commit wire fraud and making false statements to the Department of Housing and Urban Development (HUD), two counts of making false statements to HUD, and two counts of wire fraud. He was the manager of Homes America (HA) in Hudson, which was a branch of Phoenix Housing Group out of Greensboro. According to a press release from the U.S. attorney’s office, he was involved with up to 154 HUD-insured mortgage loans from 2004 to 2008. Those loans were worth $16 million, and the losses surpassed $4.8 million. He lured customers to HA by misrepresenting financial terms, including stating the business had a rent-to-own program — something it never had, the U.S. attorney’s office said. He also collected down payment funds without giving borrowers credit for them, collected borrowers’ information through documents, and gave that data to lenders. On some of the documents, he altered or forged information about the customers’ assets, income, and credit so they would qualify for mortgages they otherwise would not qualify for. Information from the U.S. attorney’s office also stated he obtained inflated appraisals, misrepresented the source of down payment money, and coerced consumers to sign closing documents. He faces a maximum of 29 years in prison and $1.25 million. Phoenix Housing Group, including HA, closed in January 2011 as part of a settlement with the North Carolina Attorney General’s Office, according to the U.S. attorney’s office. Source:

Information Technology Sector

40. October 31, SC Magazine – (National) Researcher finds way to send executable file on Facebook. Researchers have discovered a way to evade Facebook security controls to deliver a message on the social networking site that contains an executable file. Facebook normally strips out messages that contain executables from its private messaging feature. But a yet-to-be-fixed vulnerability, discovered by a penetration tester, could enable someone to undermine these security controls by altering the 'POST' request, which is used to send data to a server. The researchers captured the POST query that is sent when attempting to upload an attachment, and altered the coding. "It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not," according to the vulnerability disclosure. "To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable." Doing this allowed the researchers to "trick the parser" and attach an executable to the message. A bug like this is dangerous because it could allow criminals to send messages that contain malware. Power reported the vulnerability to Facebook September 30, and the company acknowledged its existence October 26. Source:
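The class of filename check described in item 40, as an added illustration that is not Facebook's code and not part of the original report: a blocklist test on the raw client-supplied string beside a check that normalizes the name first and then applies an allowlist. The function names, both extension sets, and the sample filenames are constructed assumptions.

```python
import os
import unicodedata

BLOCKED = {".exe", ".bat", ".scr"}          # hypothetical blocklist
ALLOWED = {".pdf", ".png", ".jpg", ".txt"}  # hypothetical allowlist

def naive_is_allowed(filename):
    """Blocklist test on the raw string: '.exe ' is not '.exe', so it passes."""
    ext = os.path.splitext(filename)[1]
    return ext not in BLOCKED

def normalize(filename):
    """Reduce a client-supplied name to the form the receiving system acts on."""
    name = unicodedata.normalize("NFKC", filename)      # e.g. no-break space -> space
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    # Remove control and format characters (Unicode categories starting with C).
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    # Windows ignores trailing spaces and dots when the file is opened.
    return name.rstrip(" .").casefold()

def strict_is_allowed(filename):
    """Allowlist test on the normalized name; anything unrecognized is refused."""
    ext = os.path.splitext(normalize(filename))[1]
    return ext in ALLOWED

# Constructed sample filenames, including the trailing-space case from the report.
SAMPLES = ["report.pdf", "tool.exe", "tool.exe ", "tool.EXE", "tool.exe.",
           "tool.exe\u00a0", "photo.png "]

def compare(names=SAMPLES):
    """Return (name, naive verdict, strict verdict) for each sample."""
    return [(n, naive_is_allowed(n), strict_is_allowed(n)) for n in names]

if __name__ == "__main__":
    for name, naive, strict in compare():
        print(f"{name!r:16} naive={naive!s:5} strict={strict}")
```

The server should also store and serve the normalized name, so the string that was checked is the string that is later used.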

41. October 31, SC Magazine – (International) German researchers disclose Amazon cloud vulnerability. Amazon has fixed a cryptographic hole in its Elastic Compute Cloud (EC2) and Simple Storage Service (S3) services that could allow hackers to compromise customer accounts. The signature-wrapping and cross-site scripting (XSS) attacks hijacked control interfaces used to manage cloud computing resources, which allowed attackers to create, modify, and delete machine images, and change administrative passwords and settings. “Effectively, a successful attack on a cloud control interface grants the attacker a complete power over the victim's account, with all the stored data included,” researchers at Germany's Ruhr University wrote in a paper. In one attack, researchers discovered weaknesses in control interfaces that opened them up to new and known XML signature-wrapping attacks. They generated arbitrary Simple Object Access Protocol (SOAP) messages that were accepted by the control interface because application signature verification and XML interpretation were handled separately. Full compromise required knowledge of a signed SOAP message, while a single arbitrary cloud control operation could be executed with knowledge of a public X.509 certificate. "This attack was made possible by the simple fact the Amazon shop and the Amazon cloud control interfaces share the same login credentials, thus any XSS attack on the (necessarily complex) shop interface can be turned into an XSS attack on the cloud control interface," the researchers wrote. Similar injection attacks also worked against the Eucalyptus cloud computer software. Amazon confirmed the attacks and closed the security holes prior to disclosure, according to the chair of network and data security at the university. Source:
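The split between signature verification and XML interpretation described in item 41, as an added toy model that is not Amazon's or Eucalyptus's code and not from the researchers' paper: an HMAC stands in for the XML signature, and the element names, `Id` value, key, and action strings are constructed assumptions. `handle_split` lets the verifier and the application each find the body independently; `handle_bound` acts only on the element the signature covers.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed key; HMAC below stands in for XML-DSig

def toy_sig(elem):
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def build_signed(action):
    """Constructed request: Envelope/Header/Signature covers Envelope/Body by Id."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", Id="body-1")
    ET.SubElement(body, "Action").text = action
    ET.SubElement(header, "Signature", ref="body-1").text = toy_sig(body)
    return env

def tampered_copy(action_signed, action_unsigned):
    """Constructed wrapped message: signed Body relocated, unsigned Body in its place."""
    env = build_signed(action_signed)
    signed = env.find("Body")
    env.remove(signed)
    ET.SubElement(env.find("Header"), "Wrapper").append(signed)
    ET.SubElement(ET.SubElement(env, "Body"), "Action").text = action_unsigned
    return env

def verify(env):
    """Return the single element the signature covers, or None."""
    sig = env.find("Header/Signature")
    if sig is None:
        return None
    hits = [e for e in env.iter() if e.get("Id") == sig.get("ref")]
    if len(hits) != 1 or not hmac.compare_digest(toy_sig(hits[0]), sig.text or ""):
        return None
    return hits[0]

def handle_split(env):
    # Flawed: the verifier and the application each locate "the body" on their own.
    if verify(env) is None:
        return None
    return env.find("Body/Action").text

def handle_bound(env):
    # Hardened: act only on the verified element, which must be Envelope/Body itself.
    signed = verify(env)
    if signed is None or signed is not env.find("Body"):
        return None
    return signed.find("Action").text
```

On the tampered copy the signature still verifies, so `handle_split` returns the unsigned action while `handle_bound` rejects the message.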

42. October 31, IDG News Services – (International) Old image resize script leaves 1 million Web pages compromised. A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise more than 1 million Web pages, IDG News Services reported October 31. Estimating the impact is not an easy task, according to Web site integrity monitoring vendor Sucuri Security, which has monitored the fallout of this flaw since it was first announced at the beginning of August. The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned. "If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls to the header of the compromised site," a Sucuri security spokesman said. Searching for this error on Google returned over 1 million results, and filtering to the last 30 days returned over 200,000. There are other factors to consider when trying to estimate the impact, such as the fact that Google results correspond to compromised pages, not Web sites, as one Web site can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be output even if a site is affected. There is no telling how many Web sites compromised by different exploits targeting this vulnerability are out there. The spokesman believes there could be a few million. Source:

43. October 31, Softpedia – (National) Phishing campaign fakes legitimate Apple emails, steals victims' ID and password. A phishing campaign that trades on Apple's reputation has been seen invading in-boxes, Softpedia reported October 31. The rogue message perfectly replicates alerts received by customers when the company notifies them of changes to their accounts. A Trend Micro researcher came across a message that looked very much like the genuine message he had received not long ago from the Cupertino, California, firm. The fake e-mail seems to come from “” and is sent via Coming with the subject “Account Info Change,” it perfectly replicates most visual aspects of the real deal. The link mentioned before is masked to look authentic, but in fact it leads the unsuspecting user to a phishing site hosted on a free domain. It asks the customer to provide an ID and a password, the information being sent to the masterminds that designed the whole scheme. These operations provide access to one's Apple account, which contains a lot of sensitive data such as credit card information, address, and phone numbers. Source:

44. October 30, Dark Reading – (National) Nearly a third of execs say rogue mobile devices are linked to their networks. Organizations are concerned about the dangers posed by unauthorized mobile devices, according to a study published the week of October 24, but many are not sure what is being done about it. According to a Deloitte poll of nearly 1,200 U.S. IT and business executives about mobile security, some 28.4 percent of survey respondents believe there are unauthorized PDAs, tablets, or a combination of both connecting to their enterprise intranets, and particularly their e-mail servers. Nearly 87 percent of respondents think their companies are at risk for a cyberattack originating from a mobile security lapse, the survey said. Yet, according to the survey, 40 percent of respondents do not know whether their organizations have strategies, policies, procedures, or technology controls in place to effectively enforce mobile security. Source:

For another story, see item 47 below in the Communications Sector

Communications Sector

45. November 1, Hartford Courant – (Connecticut) AT&T says crews making progress restoring cell phone service. AT&T said November 1 it is progressing in its efforts to restore cell phone service in Connecticut. About 150 of the telecommunications company's Connecticut cell towers sustained damage as a result of the October 29 Nor'easter, resulting in spotty service for some of its wireless phone customers. Cell towers require electricity to function. "We have deployed generators and crews across the storm-impacted areas and are working around the clock to address service issues," the AT&T spokeswoman for the Northeast Region said. "We also continue to work with local Connecticut utility companies as they restore commercial power to affected cell sites and facilities." Bloomfield residents, for example, had their service restored November 1. On October 30, AT&T told state officials 152 cell towers had been damaged by the storm, and that cell phone service would likely be disrupted in some portions of the state, according to the Connecticut governor. Verizon Wireless said October 31 that 10 percent of its network was affected by storm damage. "Overall, the network is performing well. Any scattered service issues we have seen have been attributable to local cable/landline network outages, or lack of available power," a Verizon Wireless spokesman said. Neither telecommunications company would disclose how many cell phone towers it operates in the state, or how many were affected by the storm. Source:

46. November 1, Denver Post – (Colorado) Cell phone service restored to northern and central Colorado mountain areas. Wireless cell phone service, and long-distance telephone land line service, was restored in the Colorado mountains November 1. Service went down October 31 at about 2 p.m. after a "third party" cut a fiber-optic line, a CenturyLink spokesman said. The cut line, in Summit County, knocked out cell phone service to Verizon, AT&T, Sprint, and T-Mobile customers. It affected 32 cell phone tower locations northwest of Frisco, including Steamboat Springs, Craig, and Winter Park. The cut also disrupted long-distance service for land lines. Source:

47. October 31, FierceCable – (National) Cable MSOs hustle in snowstorm's wake to restore TV, phone, Internet service. A winter storm that impacted communities from Maryland to Maine over the weekend of October 29 and 30 left cable operators hustling to restore cable TV, phone, and Internet service to subscribers. With leaves still on trees in the Northeast, falling tree limbs sparked power outages and impacted telecom services. "We have a significant number of Connecticut, New Jersey and Westchester/Hudson Valley customers experiencing service disruptions, primarily related to the loss of electrical power," a Cablevision spokesman said October 31. "We have crews in the field and are working around the clock, in cooperation with local utilities, to restore service as quickly as possible," he added. Verizon said it has seen a spike in outages in areas hit hardest by the storm such as parts of New York and Massachusetts. "Our crews are working to restore service, repair downed poles, and do any other necessary work. We've assigned additional field technicians and customer service reps to ensure repairs are tended to," a Verizon spokeswoman said. Some subscribers to Service Electric in northwestern New Jersey also reported October 30 that they had lost phone and high-speed Internet service. Comcast and Time Warner Cable also operate systems in areas impacted by the storm. Source:

For more stories, see items 40 and 44 above in the Information Technology Sector